
How to configure Linux as Internet Gateway for small office

This tutorial shows how to set up network-address-translation (NAT) on a Linux system with iptables rules so that the system can act as a gateway and provide internet access to multiple hosts on a local network using a single public IP address. This is achieved by rewriting the source and/or destination addresses of IP packets as they pass through the NAT system.

[Note] The location of the files mentioned below (ifcfg-ethx, network, etc.) may differ between distributions; check your distribution's manual to make sure you edit the correct file.

Step by Step Procedure

Step 1. Add 2 Network cards to the Linux box

Step 2. Verify the network cards and check that they are installed and detected properly

Step 3. Configure eth0 for the Internet with a public IP (external network or Internet)
# cat ifcfg-eth0
BROADCAST=xx.xx.xx.255    # Optional Entry
HWADDR=00:50:BA:88:72:D4    # Optional Entry
NETMASK=    # Provided by the ISP
NETWORK=xx.xx.xx.0       # Optional
GATEWAY=xx.xx.xx.1    # Provided by the ISP
Step 4. Configure eth1 for LAN with a Private IP (Internal private network)
# cat ifcfg-eth1
HWADDR=00:50:8B:CF:9C:05    # Optional
NETMASK=        # Specify based on your requirement
IPADDR=        # Gateway of the LAN
NETWORK=        # Optional
Step 5. Host Configuration (Optional)
# cat /etc/hosts
       nat localhost.localdomain   localhost

Step 6. Gateway Configuration
# cat /etc/sysconfig/network
    GATEWAY=xx.xx.xx.1    # Internet Gateway, provided by the ISP
Step 7. DNS Configuration
# cat /etc/resolv.conf
    nameserver      # Primary DNS Server provided by the ISP
    nameserver      # Secondary DNS Server provided by the ISP
Step 8. NAT configuration with IP Tables
First, flush the existing firewall rules in the filter, nat and mangle tables by typing in a terminal:
iptables -F
iptables -t nat -F
iptables -t mangle -F
Then delete any user-defined chains in those tables:
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Set up IP FORWARDing and Masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
# Enable packet forwarding in the kernel (to make this persistent across reboots, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Apply the configuration
service iptables save
service iptables restart
# Check that iptables is set to start at boot
chkconfig --list iptables
Step 9. Testing
Ping the LAN address of the gateway from a client system: ping
Try it on your client systems: ping
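The two rules in Step 8 forward everything that arrives on eth1 and leave traffic arriving on eth0 to the default FORWARD policy, which is ACCEPT on many distributions. The script below is an added example, not part of the original post: it generates the same flush-and-masquerade sequence but sets the FORWARD policy to DROP, limits masquerading to the LAN range, and only lets reply traffic back in from the Internet side. The interface names and the LAN range 192.168.1.0/24 are assumptions; adjust them to match your ifcfg-eth0 and ifcfg-eth1.

```shell
#!/bin/sh
# Added example: a stricter variant of the Step 8 NAT rules.
# WAN_IF, LAN_IF and LAN_NET are assumptions; override them via the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed private LAN range

# Print the iptables commands for the gateway.
# Only new connections from the LAN go out; only their replies come back in.
nat_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -A FORWARD -i $lan -o $wan -s $net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of FORWARD rules that accept traffic arriving on the WAN interface.
# For the rule set above this must be exactly 1 (the reply-only rule).
wan_forward_rules() {
    nat_rules "$1" "$2" "$3" | grep -c -- "-A FORWARD -i $1 "
}

# Execute the generated rules and turn on forwarding (run as root).
apply_rules() {
    nat_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
    sysctl -w net.ipv4.ip_forward=1
}

# APPLY=1 applies the rules; otherwise the script only prints them for review.
if [ "${APPLY:-0}" = "1" ]; then apply_rules; else nat_rules "$WAN_IF" "$LAN_IF" "$LAN_NET"; fi
```

Run it once without APPLY to review the generated commands, then with APPLY=1 as root; the page's `service iptables save` still applies afterwards to persist the result.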

Configuring PCs on the network (Clients)
All PCs on the private office network should set their "gateway" to the local private network IP address of the Linux gateway computer.
The DNS servers should be set to those of the ISP on the Internet.

Windows 2000 / XP Configuration:
Select "Start" + "Settings" + "Control Panel"
Select the "Network" icon
Select the "Configuration" tab and double-click the "TCP/IP" component for the Ethernet card (NOT the TCP/IP -> Dial-Up Adapter)

Select the tabs:
"Gateway": Use the internal network IP address of the Linux box. (
"DNS Configuration": Use the IP addresses of the ISP Domain Name Servers.
"IP Address": The IP address (192.168.XXX.XXX - static) and netmask (typically for a small local office network) of the PC can also be set here.


Anonymous said...

Try this out:

Anonymous said...

This is very old now, is it possible to update it for 2011???

Bidemi A. Olaiya said...

Hello... I run a small WISP with a public IP address system. I intend to be able to control the access outside of the bandwidth management so as to be able to automatically discontinue the service for clients that choose not to pay at due dates. Each BTS is a routed network. So I intend to use their public IP addresses.

Can anybody help out?
